01-05-2011 05:55 AM - edited 03-11-2019 12:30 PM
Hi all, I have a strange problem with my ASA.
My LAN is 192.168.1.0/24 and my ASA IP is 192.168.1.252. I have added a router with IP 192.168.1.228 that has a network 192.168.10.0/24 behind it.
I want all my clients to be able to reach all clients of the 192.168.10.0 network.
I have added on my conf:
same-security-traffic permit intra-interface
This is my Inside ACL:
access-list Inside_access_in extended permit ip object-group Internet any
access-list Inside_access_in extended permit object-group Porte_aperte object-group Navigazione_limitata any
access-list Inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Inside_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended deny ip object-group NO_Internet any
I've also added:
static (Inside,Inside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (Inside,Inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
And this is the static route:
route Inside 192.168.10.0 255.255.255.0 192.168.1.228 1
I can ping all clients on the 192.168.10.0 network but I can't connect to them on any port.
Attached is all my conf.
01-05-2011 06:08 AM
Is it absolutely necessary that you resolve this using U-Turn translation?
topology:
192.168.10.0/24---Router---192.168.1.0/24---ASA--Internet
All the hosts in both networks, 192.168.1.0/24 and 192.168.10.0/24, should point to the router's respective interface for their GW.
The router should point to the ASA for its default route.
The route that you have on the ASA is correct.
If you want to fix this the way it is, then you need to add two routes on your inside router so it sends the responses destined to 192.168.1.0/24 back to the firewall.
On the router:
ip route 192.168.1.0 255.255.255.128 192.168.1.252
ip route 192.168.1.128 255.255.255.128 192.168.1.252
-KS
01-05-2011 06:37 AM
Thanks Sankar, all the clients have the correct gateway and I've added this route to my router:
ip route 192.168.1.0 255.255.255.0 192.168.1.252
But I think it isn't necessary.
What I see on the log file is:
Deny TCP (no connection) from 192.168.1.189/2729 to 192.168.10.253/80 flags RST on interface Inside
01-05-2011 06:47 AM
You mean the clients are pointing to their GW as the router? If so you do not need this route on the router.
Pls. remove it and add the default gw.
conf t
no ip route 192.168.1.0 255.255.255.0 192.168.1.252 ---> remove
ip route 0.0.0.0 0.0.0.0 192.168.1.252 ---> add
-KS
01-05-2011 06:55 AM
Yes, I already have this default route. But nothing is working...
01-05-2011 07:19 AM
Hmm... that is interesting. Now, at one point you had static (inside,inside) added, so remove all those U-Turn statics that you added, issue a "clear xlate" (this will clear all translations going through the firewall, so be warned) and try this again.
You need the following configured:
1. All hosts in 192.168.1.0/24 should point to the router's IP address 192.168.1.x for their GW
2. All hosts in the 192.168.10.0/24 should also point to the router's IP address 192.168.10.x for their GW
3. Router should point to the ASA for its default route.
4. ASA should have a route for the 192.168.10.0/24 pointing to the router's IP
That is all you need.
If TCP traffic doesn't work then we need to watch the logs or gather captures on the ASA or on the host and see what might be going on.
-KS
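The reason ping works while TCP fails in the original setup is asymmetric routing: when a client's gateway is the ASA, the SYN hairpins through the firewall to the router, but the router answers the client directly on the same subnet, so the firewall never sees the SYN-ACK and has no complete connection for the later packets. The following toy model, written for this thread and not Cisco's code, reproduces that behaviour with the thread's own addresses and shows why pointing the clients at the router (step 1 above) takes the ASA out of the path entirely. The firewall state machine and the log-message format are simplifications I constructed; only the IPs and the "Deny TCP (no connection)" wording come from the thread.

```python
"""Toy model of stateful TCP inspection on a hairpinned (U-turn) path.

Topology from the thread:
  192.168.10.0/24 --- Router(192.168.1.228) --- 192.168.1.0/24 --- ASA(192.168.1.252)
Client-originated packets reach the ASA only if the ASA is the client's gateway.
Server-originated packets come back via the router straight to the client, so the
firewall never sees the return direction of a hairpinned flow.
"""
from dataclasses import dataclass

CLIENT, SERVER = "192.168.1.189", "192.168.10.253"   # hosts from the thread's log line
ROUTER, ASA = "192.168.1.228", "192.168.1.252"       # gateways from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                        # "tcp" or "icmp"
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"RST"}


class StatefulFirewall:
    """Minimal connection table: SYN creates an entry, SYN-ACK then ACK complete it."""

    def __init__(self):
        self.conns = {}   # direction-independent 5-tuple -> handshake state
        self.log = []

    @staticmethod
    def key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def inspect(self, p):
        """Return 'permit' or 'deny' for one packet crossing the firewall."""
        if p.proto != "tcp":
            return "permit"            # no ICMP inspection: echo requests pass statelessly
        k = self.key(p)
        state = self.conns.get(k)
        if p.flags == {"SYN"}:
            self.conns[k] = "SYN"      # embryonic connection
            return "permit"
        if state is None:              # non-SYN packet with no entry at all
            self.log.append(f"Deny TCP (no connection) from {p.src}/{p.sport} "
                            f"to {p.dst}/{p.dport} flags {' '.join(sorted(p.flags))}")
            return "deny"
        if state == "SYN" and p.flags == {"SYN", "ACK"}:
            self.conns[k] = "SYN_ACK"
            return "permit"
        if state == "SYN_ACK" and p.flags == {"ACK"}:
            self.conns[k] = "ESTABLISHED"
            return "permit"
        if state == "ESTABLISHED":
            return "permit"
        # Handshake out of order (e.g. ACK when no SYN-ACK was ever seen): tear down.
        del self.conns[k]
        self.log.append(f"Deny TCP (bad handshake state {state}) from {p.src}/{p.sport} "
                        f"to {p.dst}/{p.dport}")
        return "deny"


def _forward(fw, p, client_gw):
    """Model the topology: only client->server packets via the ASA are inspected."""
    if p.src == CLIENT and client_gw == ASA:
        return fw.inspect(p)
    return "bypass"                    # router delivers directly; ASA never sees it


def http_attempt(client_gw):
    """Client 192.168.1.189 tries port 80 on 192.168.10.253. Returns (firewall, verdicts)."""
    fw = StatefulFirewall()
    exchange = [
        Packet(CLIENT, 2729, SERVER, 80, "tcp", frozenset({"SYN"})),
        Packet(SERVER, 80, CLIENT, 2729, "tcp", frozenset({"SYN", "ACK"})),
        Packet(CLIENT, 2729, SERVER, 80, "tcp", frozenset({"ACK"})),
        Packet(CLIENT, 2729, SERVER, 80, "tcp", frozenset({"RST"})),   # client gives up
    ]
    return fw, [_forward(fw, p, client_gw) for p in exchange]


def ping_attempt(client_gw):
    """ICMP echo from client to server: verdict on the request (reply always bypasses)."""
    fw = StatefulFirewall()
    return _forward(fw, Packet(CLIENT, 0, SERVER, 0, "icmp"), client_gw)


if __name__ == "__main__":
    for gw in (ASA, ROUTER):
        fw, verdicts = http_attempt(gw)
        print(f"client gateway {gw}: tcp {verdicts}, ping {ping_attempt(gw)}")
        for line in fw.log:
            print("   ", line)
```

With the ASA as the clients' gateway the model produces the thread's exact log line, "Deny TCP (no connection) from 192.168.1.189/2729 to 192.168.10.253/80 flags RST", while ICMP is permitted; with the router as the gateway the firewall sees none of the flow and logs nothing.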
02-16-2015 05:18 AM
Hi,
I have the same issue with my Cisco ASA: after the static route is configured, I can ping the remote network devices and nothing else. For example I can ping an IP phone or IP cam but can't browse or connect with telnet.
Did you find any solution for this?
I will appreciate your help, thank you.